The Cyberspace Administration of China (CAC) has released new standard contract measures for the cross-border transfer of personal information. These measures are designed to interact with China’s Personal Information Protection Laws (PIPL) to denote when Chinese companies may transfer personal information overseas.
The new regulations require companies to obtain a certification from a designated authority before transferring personal data overseas. This certification is called a “security assessment” and is designed to ensure that the data being transferred is adequately protected from cyber threats and other risks.
Under the new rules, companies must also enter into a standard contract with the recipient of the data that sets out the purpose, scope, and method of the data transfer. The contract must also include provisions for data protection and confidentiality and must be filed with the relevant authorities. A template standard contract is affixed to the schedule of the new law to be used by companies.
The regulations come in response to growing concerns about data privacy and security, both in China and around the world. With the increasing volume of personal data being generated and transferred globally, there is a growing need for governments to take steps to protect this information from misuse and abuse. While the new regulations may create additional administrative burdens for companies operating in China, they also offer important benefits. By establishing clear guidelines and procedures for data transfer, the regulations help to ensure that personal information is being handled in a responsible and ethical manner. This can help to build trust between companies and their customers and can also help to mitigate the risk of costly data breaches and other security incidents.
The measures will take effect on 1 June 2023 for any new transfers. For transfers that occurred prior to this date, a grace period of six months is allowed before the transfer is to be properly documented and compliant.
For a full reading of the legislation, see here.